Security Scoring

Network Security Score Explained — What Your 0-100 Rating Means

3 May 2026 · 6 min read · VantagePoint Networks

A network security score is a 0–100 rating that summarises the security posture of an organisation's IT infrastructure across multiple domains. Scores are calculated by assessing the presence and quality of controls in areas like perimeter security, identity management, endpoint protection, backup, and staff awareness — then weighting each finding by severity and aggregating into a single number. The score provides a benchmark for current posture, a target for improvement, and a basis for prioritising remediation.

The 4 Risk Bands

80–100
Low Risk

Strong baseline security controls in place. Your organisation has implemented the foundational controls across most or all domains. Focus shifts to continuous improvement, monitoring, and annual re-assessment rather than emergency remediation.

Typically: Organisations with an active IT security programme, Cyber Essentials certification, or recent professional assessment.

60–79
Moderate Risk

Key controls in place but meaningful gaps exist. High-severity findings are present that increase your exposure to common attacks. These gaps should be addressed within 30–60 days.

Typically: SMBs with reasonable IT hygiene who have not had a recent security review. Often missing MFA on some services, with some unpatched systems.

40–59
High Risk

Significant exposure across multiple domains. Multiple high-severity gaps that individually could result in a breach. A structured remediation plan across all domains is needed urgently.

Typically: Networks that have grown organically without security reviews. Common findings: no MFA, flat network, inconsistent patching, no tested backup.

0–39
Critical Risk

Fundamental controls are missing. The network is highly vulnerable to common attacks that are automated and ongoing. Immediate action is required — the question is not whether a breach will occur, but when.

Typically: Networks that have never been assessed. Often includes default credentials, no MFA, unsegmented flat network, no backup, no endpoint protection.

How Domain Scores Contribute to Your Overall Rating

An overall score is a weighted average across five security domains. Not all domains carry the same weight — controls that directly prevent breach entry or escalation are weighted more heavily than supporting controls like awareness training.

Perimeter & Connectivity
Controls direct external access to your network. Firewall misconfigurations and exposed services are the first step for most attackers.
25% · High impact
Identity & Access Management
MFA alone blocks 99.9% of automated account compromise. Identity is the most attacked surface for SMBs.
25% · High impact
Endpoint Security
Unpatched endpoints with known vulnerabilities are the second most common entry point. Endpoint protection prevents malware execution.
20% · High impact
Data & Backup
Backup does not prevent breaches, but determines survivability. A tested backup is the difference between a recoverable incident and a catastrophe.
20% · Medium impact
Awareness & Response
Phishing training reduces human risk. Incident response plans reduce recovery time. Important, but lower weight than technical controls.
10% · Supporting
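
The weighting described above, as an added example (not VantagePoint's scoring code): it applies the five domain weights and four risk bands from this page to a constructed set of domain scores, then ranks the domains by how many overall points each could still recover. The per-domain 0-100 scores, the sample values and the function names are assumptions.

```python
# Weights and bands are the ones stated on this page; everything else is assumed.
WEIGHTS = {
    "Perimeter & Connectivity": 0.25,
    "Identity & Access Management": 0.25,
    "Endpoint Security": 0.20,
    "Data & Backup": 0.20,
    "Awareness & Response": 0.10,
}
BANDS = [(80, "Low Risk"), (60, "Moderate Risk"), (40, "High Risk"), (0, "Critical Risk")]

def overall_score(domain_scores):
    """Weighted average of per-domain scores (each assumed to be 0-100)."""
    if set(domain_scores) != set(WEIGHTS):
        raise ValueError("expected exactly the five domains")
    for name, value in domain_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name}: score {value} outside 0-100")
    return sum(WEIGHTS[d] * s for d, s in domain_scores.items())

def risk_band(score):
    """Map an overall score to the page's four risk bands (by band floor)."""
    return next(label for floor, label in BANDS if score >= floor)

def remediation_order(domain_scores):
    """Rank domains by overall points still recoverable: weight * (100 - score)."""
    gaps = {d: WEIGHTS[d] * (100 - s) for d, s in domain_scores.items()}
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)

def points_to_next_band(score):
    """Overall points needed to reach the next band's floor (0 if already top)."""
    higher = [floor for floor, _ in BANDS if floor > score]
    return min(higher) - score if higher else 0

# Constructed sample assessment, not real data.
SAMPLE = {
    "Perimeter & Connectivity": 55,
    "Identity & Access Management": 30,
    "Endpoint Security": 70,
    "Data & Backup": 40,
    "Awareness & Response": 80,
}

if __name__ == "__main__":
    total = overall_score(SAMPLE)
    print(f"overall {total:.2f} -> {risk_band(total)}, {points_to_next_band(total):.2f} to next band")
    for domain, gap in remediation_order(SAMPLE):
        print(f"  {domain:30s} recoverable {gap:.2f} pts")
```

In the sample, a weak Identity score costs more overall points than a weak Endpoint score of the same size would, because the ranking multiplies each domain's shortfall by its weight.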

What Moves Your Score the Most

+15–20 pts
Enable MFA on all internet-facing services
MFA is a critical control in the Identity domain. Missing MFA on email or VPN alone drops your Identity score significantly.
+10–15 pts
Patch all systems within 14 days
Consistent patching across all endpoints and servers directly improves your Endpoint Security domain score.
+8–12 pts
Implement basic network segmentation
Flat networks are flagged as High risk in the Perimeter domain. Even basic VLAN separation improves this significantly.
+5–8 pts
Test backup restore
An untested backup scores lower than a confirmed-working backup. Documented, tested recovery is the target.
+5–8 pts
Remove stale user accounts
Stale accounts are a high-severity finding in Identity. A clean account audit resolves this quickly.

Frequently Asked Questions

What is a good network security score?
A score of 80 or above indicates a strong security baseline with Low Risk. Most SMBs starting their security journey score in the 40–65 range. A score below 40 indicates fundamental controls are missing and immediate action is needed before a breach occurs.
How is a network security score calculated?
Network security scores are calculated by evaluating controls across multiple security domains (perimeter, identity, endpoints, backup, awareness), weighting each control by risk severity, and aggregating into a 0-100 score. Critical controls like MFA and patching have higher weight than operational items.
What should I do if my security score is low?
Start with the Critical and High findings from your assessment report. These represent the highest risk exposure and should be addressed within 30 days. For scores below 40, consider engaging a professional network security assessor to help prioritise and implement fixes.

Find Out Your Score

Answer 15 questions across the 5 domains above and get your 0–100 security score with domain breakdown and prioritised findings — free, no account required.
